Why Medium-sized Companies Waste 80% of Their IT Security Budget
In 2008 I was involved in a research project that looked at the effectiveness of training IT engineers and administrators. The program used scientific methods to evaluate technical product training against control groups with no training in their trades’ tools and technologies. As an interesting side note, that research company would go on to be purchased and rebranded as Microsoft MODL.
The research yielded some surprising results. Unfortunately, I can’t divulge those here because of that pesky NDA I signed. Even though I doubt my non-disclosure agreement is still in effect, I don’t want to poke any litigious sleeping bears. However, plenty of wonderful findings were released to the public in the presentations at the time, some of which I can share with you in this article.
The Value of Training IT Professionals
The first question the research sought to answer was, “Is training IT professionals worth it?”
The research firm recruited a statistically significant number of IT professionals with closely aligned job roles.
• The test group of professionals received either in-person or remote (virtual) training.
• The control group, with five or more years of on-the-job experience, received no training.
In the next phase of the research, the IT professionals were given lab environments and asked to use all of the primary features of the IT products owned by their organization. One year later, the IT professionals were surveyed and asked what product features they had used in the elapsed time (again against a control group).
The results were staggering. In the lab exercises, the trained IT professionals could use 60% to 80% more features than the self-taught IT professionals. However, this does not tell a complete and valuable story, as not all organizations use all features of every IT product. A self-taught employee could learn to use a feature when it is “needed.”
The most stunning and valuable knowledge gained is that the trained IT professionals used over 50% more features a year later than the untrained professionals. The adage “you will use what you know” rings true in this case.
On-the-job training and self-training do not prepare IT professionals to be confident and competent beyond a minimum core number of product features, thus wasting more than half of the hardware and software investment.
Making the Most of Your IT Security Hardware and Software Investments
I have plenty of questions this research did not answer:
• How long does it take self-trained IT professionals to implement features?
• Does training lower the time it takes to troubleshoot problems?
• Would a broad understanding of a product enhance productivity and security?
Even with the remaining questions, the takeaways for me are clear.
If you spend $100,000 on IT security hardware and software (arguably some of the most complicated and knowledge-intensive IT products available) and don’t formally train the employees who will be using it, you may have just wasted $80,000 of your investment. And that calculation doesn’t factor in all potential costs. How would we even calculate the cost over time of missing these features? Or the cost if these unused features could have prevented a security breach?
At Cadre, we are big believers in giving IT and security professionals the tools and training they need to not only pass industry certifications – but also to be the most successful with their deployed security solutions. Learn more in our blog, How to Choose a Security Training Course.